Data Processing and Sharing Agreement

Updated 04 September 2023

This Data Processing and Sharing Agreement (“DPSA”) forms part of the Customer Agreement between the Parties (the “Agreement”), located at https://luminalearning.com/agreement. If a provision in this DPSA conflicts with a provision elsewhere in the Agreement, the provision in this DPSA governs.

1.               Definitions

1.1.           In this DPSA the following words or phrases have the meaning set out alongside them, save to the extent that the context clearly indicates otherwise. Other capitalised terms have the meaning as set out in the Agreement.

Controller: defined in the DPA 2018.

Customer Data: the following Personal Data about Participants:

a)               data the Customer inputs to Lumina Learning’s online system, or that Lumina Learning inputs at the Customer’s direction, such as Participants’ names, email addresses, grammatical gender, and responses to questions or tasks;

b)               data Participants provide to the Customer, or to Lumina Learning acting at the Customer’s direction, via Lumina Learning’s online system, such as their responses to one of Lumina Learning’s online questionnaires; and

c)               Portraits and other Personal Data about Participants found in reports or data that Lumina Learning generates at the Customer’s request from other types of Customer Data.

DPA 2018: the Data Protection Act 2018.

Data Protection Law: the DPA 2018 and any other data protection or privacy law that applies in the circumstances, such as Regulation (EU) 2016/679 (the EU’s GDPR).

Data Subject: defined in the DPA 2018.

Lumina Learning Data: the following Personal Data:

a)               Personal Data Lumina Learning collects about any Data Subject who has an account in Lumina Learning’s online system, such as personal contact details, technical information, and usage details necessary to register their user account and keep Lumina Learning’s systems secure;

b)               Personal Data Lumina Learning or a Lumina Learning Partner collects about the Customer or any Data Subject who acts for the Customer (such as its Practitioners and administrative staff) where necessary for the performance of the Agreement;

c)               Personal Data that Lumina Learning extracts or derives from Customer Data for purposes described in paragraph 3 below (“Lumina Learning Research Data”).

Participant: a Data Subject to whom the Customer provides Practitioner Services.

Personal Data: defined in the DPA 2018.

Processor: defined in the DPA 2018.

2.               Roles and Subject Matter: Customer Data

2.1.           The Parties acknowledge that the Customer is a Controller of Customer Data and Lumina Learning is a Processor of Customer Data.

2.2.           Subject matter of processing: Lumina Learning’s supply of Products and Services to the Customer under the Agreement.

2.3.           Duration of processing: for the duration of the Agreement, or until Customer Data is deleted in accordance with the Agreement.

2.4.           Nature and purpose of processing: Lumina Learning will use Customer Data to:

2.4.1.      organise delivery of Products and Services to the Customer;

2.4.2.      generate other forms of Customer Data, such as Portraits and other reports the Customer requests, subject to the commercial terms the Parties have agreed; and

2.4.3.      create Lumina Learning Research Data as described in paragraph 3 below.

2.5.           Type of personal data: Customer Data.

2.6.           Categories of data subjects: Participants.

2.7.           Roles of the Parties: the Parties acknowledge that the Customer is a Controller of Customer Data, and Lumina Learning acts as a Processor of Customer Data on the Customer’s instructions.

3.               Roles and Subject Matter: Lumina Learning Data

3.1.           Lumina Learning will act as a Controller of Lumina Learning Data, using and retaining it according to Lumina Learning’s published privacy notices and internal policies.

3.2.           Nothing in the Agreement is intended to make the Customer a Controller or a Processor of Lumina Learning Data.

3.3.           Lumina Learning may generate Lumina Learning Research Data by extracting it from (or deriving it through analysis of) Customer Data.

3.4.           Lumina Learning may use Lumina Learning Research Data for:

3.4.1.      quality control and validation of Lumina Learning’s psychometric models; and

3.4.2.      creation of pseudonymised or anonymised datasets for use in research and development.

4.               Customer’s Obligations

4.1.           The Customer must:

4.1.1.      comply with all relevant Data Protection Laws; and

4.1.2.      provide Lumina Learning with all information and assistance Lumina Learning reasonably requires to comply with its obligations as a Processor of Customer Data.

5.               Lumina Learning’s Obligations

5.1.           Lumina Learning must:

5.1.1.      process Customer Data only according to the Customer’s reasonable documented instructions (which are deemed to include the contents of the Agreement); and

5.1.2.      take steps to ensure that anyone acting under Lumina Learning’s authority who has access to Customer Data does not process those data except on the Customer’s instructions, unless they are required to do so by Data Protection Law.

5.2.           If, according to Data Protection Law, Lumina Learning is required to process Customer Data other than as instructed by the Customer, then Lumina Learning must inform the Customer of the legal requirement before carrying out the processing, unless that law prohibits Lumina Learning from doing so on important grounds of public interest.

5.3.           Lumina Learning must require its Representatives, through legally binding mechanisms such as contracts and employment policies, to handle all Customer Data in strict compliance with Lumina Learning’s obligations under the Agreement.

5.4.           In processing Customer Data, Lumina Learning must secure the data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure and access by implementing and maintaining technical and organisational measures, including all measures set out in the Agreement, that are proportionate to the harm that could result from such events.

5.5.           Except to the extent prohibited by Data Protection Law, Lumina Learning must promptly relay to the Customer any requests, notifications, or complaints from a data subject or a supervisory authority relating to the processing of Customer Data.

5.6.           Regarding any Customer Data that Lumina Learning processes (or has previously processed), Lumina Learning must assist the Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil the Customer’s obligations as Controller to respond to requests for exercising such a Data Subject’s rights laid down in the applicable Data Protection Legislation.

5.7.           In the event of a Data Breach involving Customer Data that Lumina Learning or any of its sub-processors are or had been processing, Lumina Learning must:

5.7.1.      notify the Customer without undue delay after becoming aware of the Data Breach;

5.7.2.      promptly investigate the causes of the Data Breach, identify the likely effects on the affected data subjects, and develop proposed measures to mitigate further effects and to remedy the Data Breach; and

5.7.3.      not publish any filing, communication, notice, press release, or report concerning the Data Breach, and not communicate directly with data subjects about the Data Breach, without the Customer’s prior written consent.

5.8.           The notification described in clause 5.7.1 must, at minimum:

5.8.1.      describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, the categories and approximate number of Personal Data records concerned, and the names of all affected data subjects;

5.8.2.      communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

5.8.3.      describe the likely consequences of the Data Breach; and

5.8.4.      describe the measures that Lumina Learning proposes to take in order to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.9.           In the event of a conflict between a person’s obligations under the Agreement and the person’s obligations toward a data subject under the applicable Data Protection Legislation, that person must comply with their obligations to the data subject. Lumina Learning must notify the Customer, and give the Customer an opportunity to object, before taking any action that violates a term of the Agreement in order to comply with the data subject’s rights.

5.10.        The Customer may obtain a copy of Customer Data at any time by using the self-service export tools in the Online Account. The Customer acknowledges that some Customer Data is found within Products for which it must pay a Fee or exchange Points.

5.11.        At the Customer’s request, or upon termination of the Agreement, or where clause 5.12 applies, Lumina Learning will delete Customer Data within 30 days, save that Customer Data in Lumina Learning’s system backups will be deleted within 120 days. Lumina Learning may retain a copy of Customer Data where this is necessary for it to demonstrate compliance with the Agreement and Data Protection Law.

5.12.        Lumina Learning may cease to process certain Customer Data, for example where a legacy product is retired, subject to providing the Customer with at least 30 days’ notice.

6.               Processing, Sub-Processing and International Transfers

6.1.           The Customer hereby gives Lumina Learning general written instruction to:

6.1.1.      process Customer Data in any manner reasonably required to achieve the purposes of processing;

6.1.2.      engage sub-processors to process Customer Data; and

6.1.3.      transfer Customer Data to any geographic location or international body where reasonably necessary to achieve the purposes of processing, subject to the existence of adequate safeguards.

6.2.           Lumina Learning must ensure that any sub-processor it uses to process Customer Data:

6.2.1.      has committed itself to confidentiality or is under an appropriate statutory obligation of confidentiality; and

6.2.2.      is required, by way of a contract or other legal act under Data Protection Law, to process Customer Data in accordance with Lumina Learning’s obligations under the Agreement, and in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of the Data Protection Legislation.

6.3.           Lumina Learning may use the sub-processors listed in paragraph 9 below.

6.4.           Lumina Learning may change the list of sub-processors in paragraph 9 if it notifies the Customer in writing at least 1 month before the change. The Customer may object to the change by notifying Lumina Learning in writing, providing reasons for its objection, within 1 month of receiving the initial notice from Lumina Learning. If the Customer does not object within that time, the Customer is deemed to approve the change.

6.5.           If the Customer objects to a change of sub-processors, both Parties must use reasonable endeavours to reach an agreement to resolve the dispute. If the dispute is not resolved within 1 month after the Customer objects, either Party may terminate the Agreement immediately without liability by providing notice to the other Party.

6.6.           Lumina Learning is liable for the acts and omissions of sub-processors in processing Customer Data to the same extent as if it performed the processing.

7.               Audit

7.1.           Regarding the processing of Customer Data, Lumina Learning must make available to the Customer all information necessary to show Lumina Learning’s compliance with its obligations laid down in the Agreement.

7.2.           The Customer may audit Lumina Learning’s compliance with the Agreement. Any audits must:

7.2.1.      be at a mutually agreed time, or in the absence thereof with at least 30 Business Days’ notice;

7.2.2.      take place during Lumina Learning’s normal UK business hours;

7.2.3.      use all reasonable measures to minimise disruption to Lumina Learning’s operations; and

7.2.4.      take place no more than once in any rolling 12-month period.

8.               Term and Termination

8.1.           This DPSA survives termination of the Agreement, for as long as Lumina Learning or its sub-processors hold any copies of Customer Data.

9.               Approved Sub-processors

Sub-processor name | Sub-processor location | Purpose of engagement
Amazon Web Services EMEA SARL | Luxembourg | Online system hosting
Microsoft Ireland Operations Limited | Ireland | Online system hosting; business administration tools
Steamhaus Limited | UK | Online system hosting management services
Learning Pool Limited | UK | Hosting of elements of certain Products and Services (confirmation of Products/Services concerned available on enquiry)
Alchemer LLC | USA | Hosting of elements of certain Products and Services (confirmation of Products/Services concerned available on enquiry)
Lumina Learning Partner (identity communicated by Lumina Learning) | As communicated by Lumina Learning | Provision of account management and support to the Customer